Skip to main content

NGFW Internal Scan

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook investigates a scan where the source is an internal IP address.

An attacker might initiate an internal scan for discovery, lateral movement and more.

Attacker's Goals:

An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative Actions:

  • Endpoint Investigation Plan playbook

Response Actions

The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute:

  • Auto endpoint isolation
  • Manual block indicators
  • Manual file quarantine

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Account Enrichment - Generic v2.1
  • Ticket Management - Generic
  • Containment Plan
  • Endpoint Investigation Plan
  • Endpoint Enrichment - Generic v2.1

Integrations#

This playbook does not use any integrations.

Scripts#

This playbook does not use any scripts.

Commands#

  • closeInvestigation
  • setParentIncidentFields

Playbook Inputs#


NameDescriptionDefault ValueRequired
scannerIPThe scanner IP addressalert.hostipOptional
AutoCloseAlertWhether to close the alert automatically or manually, after an analyst's review.falseOptional
AutoContainmentWhether to execute automatically or manually the containment plan tasks:
* Block indicators
* Quarantine file
* Disable user
Optional
HostAutoContainmentWhether to execute endpoint isolation automatically or manually.Optional
ShouldOpenTicketWhether to open a ticket automatically in a ticketing system. (True/False).FalseOptional
serviceNowShortDescriptionA short description of the ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
serviceNowImpactThe impact for the new ticket. Leave empty for ServiceNow default impact.Optional
serviceNowUrgencyThe urgency of the new ticket. Leave empty for ServiceNow default urgency.Optional
serviceNowSeverityThe severity of the new ticket. Leave empty for ServiceNow default severity.Optional
serviceNowTicketTypeThe ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
serviceNowCategoryThe category of the ServiceNow ticket.Optional
serviceNowAssignmentGroupThe group to which to assign the new ticket.Optional
ZendeskPriorityThe urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".Optional
ZendeskRequesterThe user who requested this ticket.Optional
ZendeskStatusThe state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".Optional
ZendeskSubjectThe value of the subject field for this ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
ZendeskTagsThe array of tags applied to this ticket.Optional
ZendeskTypeThe type of this ticket. Allowed values are "problem", "incident", "question", or "task".Optional
ZendeskAssigneThe agent currently assigned to the ticket.Optional
ZendeskCollaboratorsThe users currently CC'ed on the ticket.Optional
descriptionThe ticket description.${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}Optional
addCommentPerEndpointWhether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.TrueOptional
CommentToAddComment for the ticket.${alert.name}. Alert ID: ${alert.id}Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


NGFW Internal Scan